CRM Buyer Talkback
One of the common myths surrounding HIPAA is that it is not a privacy law at all, and that it weakened rather than strengthened individuals' rights to health information privacy. That's not the case at all, according to Deven McGraw, recently appointed director of the Center for Democracy & Technology's Health Privacy Project. "This is completely unfounded. Before the HIPAA Privacy Rule was enacted, there were no federal standards protecting the privacy and security of health information," McGraw said.
Not only is our information not private (and in the context of our government, which has allowed employers to "self insure", the information is available to our employers!!) but whenever you go to a medical care provider, you are asked to sign a HIPAA form allowing sharing of your information. So as with so many other "protections", the private sector quickly develops disclaimers and waivers to override any regulatory impediments. Even going for certain tests can subject you to repeat mailings for years of reminders. And if the recipient is an infant, and the private provider is a charitable entity, the infant can expect to get "fund raising" requests for years - despite repeated notifications to the charitable medical service providers that they are sending these to infants, please take them off their mailing lists...but obviously, the mailing list (and information that medical services have been provided in the past) has been passed on to a marketing company.
Not to mention all the "offers" by pharmaceutical companies to send free information about certain medications...you are then on a mailing list for anyone having anything to do with any of the ailments that the medication addresses.
So much for privacy!!
To talk about the myths surrounding HIPAA and privacy, you have to first read what HIPAA actually says about privacy. The definition of “privacy” is the individual's right to control access to and uses of identifiable personal information.
When the HIPAA Privacy Rule was first enacted by President Bush, it WAS in fact a privacy rule because it included YOUR right to control the uses and disclosures of YOUR protected health information. Here is what it said: “a covered health care provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.” 65 Fed. Reg. 82,462
Let's now look at the sentence in the 2002 amendments to the HIPAA Privacy Rule that eliminated privacy. Here is the sentence that eliminated YOUR right to control disclosures and uses of YOUR protected health information: “The consent provisions…are replaced with a new provision…that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations.” 67 Fed. Reg. at 53,211
It’s not rocket science. That single sentence means OTHERS decide when to use and disclose your protected health information, NOT YOU.
You cannot stop others from using your health information because they do not have to get your consent. AND there are no audit trails, so you have no way to find out how many times your medical records were used and disclosed or who used them. Today, every American’s protected health information is in thousands of secret databases across the globe---we have no way to even tell how far our data has gone because they do not have to ask us to use our data and no audit trails exist.
OTHERS can decide to use your health information for any use they want, as long as it falls into one of three areas: for treatment purposes, for payment, or for healthcare operations. But, “healthcare operations” includes any business use such as SELLING your data. That is why HIPAA is the data mining industry’s dream regulation: it allows them to use and sell the most valuable and sensitive information about you on Earth: your health information, which means everything from your prescriptions to your genetic tests to your mental health records.
For example: take the prescription data mining industry. Every pharmacy in the US—all 51,000 of them—is data mined daily and your prescription records are sold to insurers, employers, and others. It does not matter if you pay cash.
In 2006, one prescription data miner, IMS Health, reported revenues of $2 billion. Did you give them permission to sell your prescriptions? Not one dime of that revenue goes to help one single sick person. We don’t even know how many prescription data miners there are: McKesson, Verispan, Allscripts, etc. We have no idea how big this one sector of the data mining industry is, but YOUR prescription records alone are worth billions of dollars/year. And that information is used to discriminate against you by employers and insurers.
Who are the OTHERS that can use and disclose your health information today? HIPAA grants permission to over 4 MILLION businesses including your doctors, hospital chains, pharmacies, government agencies, the insurance industry, the pharmaceutical industry, and self-insured employers. In turn, these providers can disclose your health information to millions of “business associates”, without your permission or knowledge.
That one sentence change in HIPAA was NEVER reported by the press, so the data mining industries, the federal government, and people like Kirk Nahra and Deven McGraw can pretend that HIPAA is still a “privacy rule” when it is now an “exposure rule”.
The right to control access to personal health information is the foundation of the trust Americans have had in the healthcare system. It is the foundation of the physician-patient relationship and every doctor swears the Oath of Hippocrates, promising never to share your secrets without your consent. Congress must restore our rights to health information privacy before the electronic health system becomes a vast superhighway for data mining.
For more information about privacy and to learn what you can do to help restore the privacy rights and the control you had over your medical records until 2002, please go to www.patientprivayrights.org
Deborah C. Peel, MD
Patient Privacy Rights